Local Government and Education Cybersecurity Advisory

Local Government and Education Institutions are under increasing threat from cyber criminals. Explore how these critical sectors can level up their cybersecurity posture.
Local Government Education Cybersecurity

Table of Contents

The Local Government and Education sectors have embraced rapid technological advancements, driven by connectivity and AI, with a 2024 budget of $138.9 billion. This surge aims to improve service delivery but also increases cybersecurity risks. Recognizing these threats, the U.S. government designated the education sector as critical infrastructure and established the Education Facilities Subsector Government Coordinating Council (GCC). The GCC enhances cybersecurity by promoting collaboration among federal, state, and local agencies. This advisory outlines the significance of safeguarding sensitive data, the impact of ransomware, and essential strategies for protecting local government and education institutions against cyber threats.

Accelerating Technology Adoption in SLED

Increased inter-connectivity and Artificial Intelligence (AI) propels technological advancements within the State, Local Government, and Education (SLED) sector. According to statistics, the education sector is poised to lead this technological surge, aiming to enhance competitiveness in delivering services to students. Significant allocations have been made for technology spending, with a total budget of $138.9 billion across SLED for 2024. IT services account for $59 billion within this budget, while software products represent $13 billion. Forecasts indicate a notable increase in these figures by 2025, with IT services expected to rise to $61 billion and software products to $14 billion, reflecting the sector’s commitment to continuous innovation and advancement.

However, these new technologies, automation processes, and interconnected systems are giving rise to fresh challenges and risks. Within local government and education institutions, there’s a growing dependence on technology for essential functions, including the storage of sensitive data such as financial records, student information, and research findings. This heavy reliance expands the potential attack surface, providing cybercriminals with greater opportunities for exploitation.

Designation of Education as Critical Infrastructure

In recognition of the growing cyber threats facing educational institutions, the U.S. government has officially designated the education sector as critical infrastructure. This designation underscores the importance of protecting the sensitive data and technological systems used in schools. In response, the Department of Education, in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), has established the Education Facilities Subsector Government Coordinating Council (GCC). This council aims to enhance cybersecurity resilience across K-12 schools by fostering collaboration between federal, state, and local agencies. Through information sharing and strategic defense measures, the GCC seeks to safeguard educational environments against cyber threats, ensuring the security of student and institutional data​. However, this move also implies that schools may encounter increased oversight, regulation, and reporting requirements.

The sensitivity of information held by educational institutions is often underestimated, yet it encompasses a wealth of records that could be exploited in detrimental ways. These records may include details on students with health issues, specific ethnic backgrounds, drug usage reports, and disciplinary records. If such information were to become public, the potential harm to these students could be irreparable.

Impact of Ransomware on Local Government and Education

In 2023 Ransomware groups have achieved an unprecedented milestone by extracting over $1 billion in cryptocurrency payments from their victims. Aditionally, over the past two years, more than a hundred educational institutions have fallen victim to ransomware attacks perpetrated by various criminal groups, and the cost of recovery is estimated at $1.8 million USD. In secondary schools, according to the latest Emisoft report, the number of affected institutions has nearly doubled compared to two years ago, totaling 108.

Local Government Education Cybersecurity

Pysa Ransomware Group

Pysa ransomware emerged as a significant threat in 2023, primarily targeting educational institutions and local government organizations in the U.S. Originally known as Mespinoza, the group began operations in late 2018, producing .locked files. However, in December 2019, they rebranded to Pysa ransomware, changing the file extension to .pysa. 

Notably, at least three variants of this ransomware have been detected to date, all characterized by the use of Living-off-the-Land (LotL) techniques with PowerShell, Python, and Bash scripts. Like most ransomware groups, this gang employs phishing as an initial attack vector, along with frequent usage of infostealers and the exploitation of misconfigured and exposed RDP access.

Notable Recent Ransomware Incidents

In 2023, several high-profile attacks targeted educational infrastructure, leaving a significant impact. Among the notable incidents were the following:

  1. Clark County School District, Nevada (September 2023):
    • Over 200,000 students were affected, resulting in the compromise of profiles and sensitive information.
  2. Los Angeles Unified School District (LAUSD) (October 2023):
    • More than 2,000 student records were exposed on the dark web, including COVID-19 certificates.
  3. Anoka-Hennepin Public Schools, Minnesota (May 2023):
    • Sensitive data, particularly related to allegations of sexual violence, was unlawfully disclosed.
    • The ransom demanded amounted to a staggering $1 million USD.

More than 670,000 students were affected in the last year and the tendency is on the rise. These incidents underscore the pressing need for enhanced cybersecurity measures within the education sector to safeguard student data and maintain trust in educational institutions.

Education Sector Vulnerability & Recovery Time

The Education sector stands as one of the most vulnerable to the impacts of ransomware attacks, experiencing recovery times slower than in previous years. The increasing complexity of these attacks has posed significant challenges in maintaining operational continuity.

Local Government Education Cybersecurity
Source: Sophos State of Ransomware in Education 2023

Common Attack Vectors and Techniques

However, sophisticated cyberattacks are comprised of elaborate chains of multiple steps, often involving a combination of automated and manual processes. Regardless of the level of automation at each step, criminals exploit some vulnerabilities in defense systems. Typically, initial access is facilitated through smaller artifacts like infostealers or Remote Access Trojans (RATs), commonly distributed via email or phishing attempts. The emergence of Initial Access Brokers (IAB) has streamlined these initial steps, emphasizing the significance of every threat in the cybersecurity landscape.

The Achilles heel of this attack chain is that at some point the attacker must use the network to communicate with the attack process, in 2023 Lumu detected an interesting variety of malware in SLED sector, highlighting the high presence of stealers, trojans, RATs and related with initial access:

Malware Affecting SLED Institutions

Local Government Education Cybersecurity

MITRE ATT&CK Matrix™ for SLED Ransomware 

Considering the most important ransomware gangs that have targeted the SLED sector, the MITRE ATT&CK Matrix provides a detailed overview of the common techniques through the cyber kill chain employed by these attackers. This information is invaluable for fortifying defense systems and being prepared to detect these types of adversaries. The following table shows the adversarial TTPs (Tools Techniques and Procedures) that most commonly affect SLED organizations, as identified by Lumu.

TTP

TTP Number

*Heat

Data Encrypted for Impact 

T1486

4

Exfiltration 

TA0010

4

Phishing 

T1566

3

Inhibit System Recovery 

T1490

3

Valid Accounts 

T1078

3

External Remote Services 

T1133

2

Windows Management Instrumentation 

T1047

2

Command and Scripting Interpreter

T1059

2

Deobfuscate/ Decode Files or Information

T1140

2

Scheduled Task/Job: Scheduled Task 

T1053.005

2

Create or Modify System Process: Windows Service 

T1543.003

2

Masquerading 

T1036.003

2

Impair Defenses 

T1562

2

OS Credential Dumping

T1003

2

Remote Services: Remote Desktop Protocol 

T1021.001

2

Service Stop 

T1489

2

Exfiltration Over C2 Channel

T1041

2

Indicator Removal on Host: File Deletion

T1070.004

2

System Information Discovery 

T1082

2

*Heat represents how frequently this TTP is used by ransomware gangs that most commonly target SLED sectors.

Cybersecurity Recommendations for SLED

Embrace Automation: SLED organizations often don’t have the same resources available as other entities that have to operate cybersecurity. To compensate, technology needs to step up by automatically detecting and responding to threats, without overwhelming cybersecurity staff.

Develop Network Visibility: Every successful attack manages to bypass one or more cybersecurity defenses like firewalls, email security, or endpoint detection and response. It’s therefore critical to deploy additional measures to find threats that have already bypassed those other defenses in real time.

General Ransomware Preparedness: Deploy standard defenses against ransomware attacks, like backup and recovery planning, network segmentation, and privilege management.

Reduce your attack surface and external threats by investigating possible compromises in credentials and accounts related to your company, infostealers are the most common method used by attackers to gain initial access in ransomware attack chains.

CONCLUSIONS

The constant evolution of interconnected technologies and information processes, specifically designed for the government and education sectors has made them one of the most attractive targets for ransomware groups. These groups capitalize on the sector’s comparatively weaker security systems to orchestrate attacks. Considering the prolonged recovery times, these attacks result in substantial operational disruptions. Consequently, many institutions are compelled to pay substantial sums to decrypt their data.

Local government and education institutions must recognize the critical sensitivity of student and operational data and take prompt measures to monitor their systems and networks. It’s imperative to prepare institutions to modernize the continuous monitoring of systems and networks and streamline incident response actions, ensuring agility and effectiveness in addressing potential cybersecurity threats.

Learn more about the cybersecurity challenges SLED organizations face here.

Subscribe to Our Blog

Get the latest cybersecurity articles and insights straight from the experts.

Share this post

RELATED POSTS

There is no zero trust without visibility
Trends

There Is No Zero Trust Without Visibility

Reading Time: 3 mins ‘Dr. Zero Trust’ Chase Cunningham looks at Zero Trust, network visibility’s importance, and the Forrester Wave™: Network Analysis and Visibility Q2 2023